b'              TABLE OF CONTENTS\n\n\nINSPECTOR GENERAL\xe2\x80\x99S MESSAGE                  i\nNCUA AND OFFICE OF INSPECTOR GENERAL\n                                             1\n  MISSION STATEMENTS\nINTRODUCTION                                 2\nNCUA ORGANIZATIONAL CHART                    5\nNCUA HIGHLIGHTS                              6\nFEDERALLY INSURED CREDIT UNIONS HIGHLIGHTS   9\nLEGISLATIVE HIGHLIGHTS                       11\nOFFICE OF THE INSPECTOR GENERAL              14\n   AUDIT ACTIVITY                            16\n   INVESTIGATIVE ACTIVITY                    26\n   LEGISLATIVE AND REGULATORY REVIEWS        29\nTABLE I \xe2\x80\x93 REPORTS WITH QUESTIONED COSTS      31\nTABLE II \xe2\x80\x93 REPORTS WITH RECOMMENDATIONS\n                                             32\n  THAT FUNDS BE PUT TO BETTER USE\nTABLE III \xe2\x80\x93 SUMMARY OF OIG ACTIVITY          33\nINDEX OF REPORTING REQUIREMENTS              34\n\x0c                                                                  As part of our oversight function and our commitment to\n                                                                  ensure that the agency operates effectively, we premised\n                                                                  the decision to conduct the DOR review on NCUA\xe2\x80\x99s stated\n                                                                  mission:     \xe2\x80\x9cTo facilitate the availability of credit union\n                                                                  services to all eligible consumers, especially those of modest\n                                                                  means, through a regulatory environment that fosters a safe\n                                                                  and sound credit union system.\xe2\x80\x9d The DOR review concluded\n                                                                  that NCUA has a process in place for examiners to\n                                                                  effectively identify deficiencies in the DOR and,\n           INSPECTOR GENERAL\'S MESSAGE                            subsequently, to track credit unions\xe2\x80\x99 efforts to resolve\n                TO THE NCUA BOARD                                 identified deficiencies in a timely manner.\n                AND THE CONGRESS\n                                                                  The OIG conducted the OPF review as part of our continuing\n                                                                  mandate to help promote information and systems security\nThis reporting period saw important and prolific audit\n                                                                  at NCUA. We intend to report fully in the next reporting\nactivity in the Office of Inspector General (OIG), as the audit\n                                                                  period on the final report to management and the agency\xe2\x80\x99s\nstaff conducted reviews in the following areas: (1) a review\n                                                                  response to our recommendations.\nto determine if significant real estate lending risks exist in\nfederally chartered credit unions which should lead to an\n                                                                  More than ever, the OIG is dedicated to accomplishing its\naudit engagement; (2) a review to determine whether NCUA\n                                                                  mission of conducting independent audits, investigations,\nexaminers are preparing Documents of Resolution (DOR) to\n                                                                  and reviews to help the NCUA accomplish its mission;\nreduce areas of unacceptable risk and, subsequently,\n                                                                  improve its effectiveness; and prevent and detect fraud,\nensuring that credit unions are progressing in their efforts to\n                                                                  waste, and abuse. We look forward to working together\naddress and correct deficiencies noted in the DOR; and (3) a\n                                                                  successfully with the agency, now and in the future, to\nreview to determine whether NCUA is accurately maintaining\n                                                                  achieve our strategic mission and goals.\nand storing Official Personnel Folders (OPF), and to evaluate\nthe agency\xe2\x80\x99s ability to migrate to an electronic OPF system.\n\nGiven the ongoing problems in the sub-prime mortgage\nmarket, the OIG\xe2\x80\x99s inquiry into the extent of real estate\nlending risks at federally chartered credit unions, and\nwhether the agency was mitigating those actual or potential\nrisks, was timely. As a result of the review, the OIG                                           William A. DeSarno\nrecommended, among other things, that NCUA management                                           Inspector General\nreview the current tracking and reporting of sub-prime\nmortgages and determine if these mortgages should be\nspecifically reported on the credit union quarterly report.\n\n                               i                                                                ii\n\x0c                THE NCUA MISSION\n                                                                                     INTRODUCTION\nNCUA\xe2\x80\x99s charge is to foster the safety and soundness of\nfederally insured credit unions and to better enable the credit   The National Credit Union Administration (NCUA) was\nunion community to extend the availability of financial           established as an independent, federal regulatory agency on\nservices for provident and productive purposes to all who         March 10, 1970. The agency is responsible for chartering,\nseek such service, while recognizing and encouraging credit       examining, supervising, and insuring federal credit unions. It\nunions\xe2\x80\x99 historical emphasis on extension of financial services    also insures state-chartered credit unions that have applied\nto those of modest means.                                         for insurance and have met National Credit Union Share\n                                                                  Insurance requirements. The NCUA is funded by the credit\nThe NCUA\xe2\x80\x99s mission is accomplished by managing the                unions it supervises and insures. As of June 30, 2007, the\nNational Credit Union Share Insurance Fund in an efficient        NCUA was supervising and insuring 5,118 federal credit\nand prudent manner through an effective supervision               unions and insuring 3,120 state-chartered credit unions, a\nprogram and a regulatory environment that encourages              total of 8,238 institutions. This represents a decline of 71\ninnovation, flexibility and continued focus on attracting new     federal and 53 state-chartered institutions since December\nmembers and improving financial service to existing               31, 2006, for a total decline of 124 credit unions nationwide,\nmembers.                                                          primarily as a result of mergers.\n\n                                                                  The NCUA operates under the direction of a Board composed\n                                                                  of three members. Board members are appointed by the\n                                                                  President and confirmed by the Senate. They serve six-year\n                                                                  terms. Terms are staggered, so that one term expires every\n                                                                  two years. The Board is responsible for the management of\n THE OFFICE OF INSPECTOR GENERAL MISSION                          the National Credit Union Administration, including the NCUA\n                                                                  Operating Fund, the Share Insurance Fund, the Central\nThe OIG promotes the economy, efficiency, and effectiveness       Liquidity Facility, and the Community Development Revolving\nof NCUA programs and operations, and detects and deters           Loan Fund.\nfraud, waste, and abuse, thereby supporting the NCUA\xe2\x80\x99s\nmission of monitoring and promoting safe and sound federally      The NCUA executes its program through its central office in\ninsured credit unions.                                            Alexandria, Virginia and regional offices in Albany, New York;\n                                                                  Alexandria, Virginia; Atlanta, Georgia; Austin, Texas; and\nWe accomplish our mission by conducting independent audits,       Tempe, Arizona.       The NCUA also operates the Asset\ninvestigations, and other activities, and by keeping the NCUA     Management and Assistance Center (AMAC) in Austin, Texas.\nBoard and the Congress fully and currently informed of our        Please refer to the NCUA organizational chart on page 5.\nwork.\n\n\n                              1                                                                 2\n\x0cThe NCUA Board adopted its 2007 budget of $152,016,840 on\nNovember 16, 2006. The Full-Time Equivalent (FTE) staffing                                 NCUA Budget Dollars\nauthorization for 2007 is 958, remaining unchanged from the     Millions\n2006 total.                                                          153\n                                                                     152\n                                                                     151\n                                                                     150\n                                                                     149\n                                                                     148\n                                                                     147\n          Federally Insured Credit Unions                            146\n                                                                     145\n                                                                     144\n                                                                     143\n10000                                                                        2002      2003       2004     2005    2006   2007\n\n\n8000 3866 3735 3593\n                    3442 3302\n                              3173\n6000\n\n4000                                                                                       NCUA Authorized Staff\n        6118 5953 5776 5572 5393\n                                 5189                         1000\n2000                                                           900\n                                                               800\n    0                                               FISCUs     700\n        2001 2002 2003 2004 2005 2006               FCUs       600\n                                                               500\n                                                               400\n                                                               300\n                                                               200\n                                                               100\n                                                                 0\n                                                                      2002          2003        2004       2005    2006    2007\n\n\n\n\n                            3                                                                          4\n\x0c                                             NCUA HIGHLIGHTS\nNCUA ORGANIZATIONAL CHART\n\n\n                            NCUA DISCUSSING MATRIX ELIMINATION\n\n                            NCUA is working with the National Association of State Credit\n                            Union Supervisors (NASCUS) and reaching out to various\n                            credit union industry trade groups to discuss possible\n                            elimination of the CAMEL Matrix. CAMEL will continue to be\n                            NCUA\xe2\x80\x99s internal rating system. NCUA is confining its review\n                            to the Matrix, an optional examiner tool in use since 1995.\n                            The Matrix consists of static ratio benchmarks. CAMEL is not\n                            an arithmetic score or a comparison to other credit unions of\n                            similar asset sizes. An examiner\xe2\x80\x99s overall assessment of the\n                            credit union is based on numerous factors. As NCUA stated in\n                            Letter to Credit Unions Number 03-CU-04, \xe2\x80\x9cCAMEL is not\n                            intended to be used as a report card but as an internal tool to\n                            measure risk and allocate resources for supervision\n                            purposes.\xe2\x80\x9d\n\n                            NCUA SEEKS DISMISSAL OF CONVERSION RULES\n                            LAWSUIT\n\n                            On September 7, 2007, NCUA filed a motion with the U.S.\n                            District Court for the Eastern District of Virginia, to dismiss a\n                            suit challenging credit union conversion rules promulgated by\n                            NCUA. The organization that filed the original lawsuit, the\n                            Coalition for Credit Union Charter Options, claims in its\n                            complaint that it seeks to preserve charter choice for credit\n                            unions. NCUA\xe2\x80\x99s motion argues that the Coalition lacks\n                            standing to bring its suit against NCUA regulations that\n                            oversee credit union to bank charter conversions. A hearing\n\n\n            5                                              6\n\x0con NCUA\xe2\x80\x99s motion is tentatively scheduled for October 19,        (ARM) products described in the agencies\xe2\x80\x99 Statement on\n2007.                                                            Subprime Mortgage Lending (Subprime Statement), effective\n                                                                 July 10, 2007.       The Subprime Statement recommends\nFFIEC RELEASES REVISED BANK SECRECY/ANTI-                        communications that ensure consumers have clear, balanced,\nMONEY LAUNDERING EXAMINATION MANUAL                              and timely information about the relative benefits and risks of\n                                                                 certain ARM products. The illustrations are intended to assist\nOn August 24, 2007, the Federal Financial Institutions           institutions in providing this information. The illustrations\nExamination Council (FFIEC) released a revised Bank Secrecy      consist of (1) an explanation of some key features and risks\nAct/Anti-Money Laundering (BSA/AML) Examination Manual.          that the Subprime Statement identifies, including payment\nThe revised manual reflects the ongoing commitment of the        shock; and (2) a chart that shows the potential consequences\nfederal and state banking agencies and the Financial Crimes      of payment shock in a concrete, readily understandable\nEnforcement Network (FinCEN) to provide current and              manner. The agencies are seeking public comment on all\nconsistent guidance on risk-based policies, procedures, and      aspects of the proposed illustrations.\nprocesses for banking organizations to comply with the BSA\nand safeguard operations from money laundering and\nterrorist financing.    The 2007 version further clarifies\nsupervisory expectations since the July 28, 2006, update.\nThe NCUA worked with the Board of Governors of the Federal\nReserve System, the Federal Deposit Insurance Corporation,\nthe Office of the Comptroller of the Currency, the Office of\nThrift Supervision, and the Conference of State Bank\nSupervisors to revise the manual in collaboration with FinCEN,\nthe administrator of the BSA. The Office of Foreign Assets\nControl (OFAC) collaborated on the revisions made to the\nsection that addresses compliance with regulations enforced\nby OFAC.\n\nNCUA JOINS FEDERAL FINANCIAL REGULATORS IN\nPROPOSING ILLUSTRATIONS OF CONSUMER\nINFORMATION TO SUPPORT STATEMENT ON\nSUBPRIME MORTGAGE LENDING\n\nThe Federal financial regulatory agencies, including NCUA,\nissued on August 14, 2007, proposed illustrations of\nconsumer information for certain adjustable-rate mortgage\n\n                              7                                                                8\n\x0c    FEDERALLY INSURED CREDIT UNION                                LOANS AND INVESTMENTS INCREASED\n              HIGHLIGHTS\n                                                                  Loan growth of 4.86 percent resulted in an increase in total\n                                                                  loans by $12 billion. Total net loans of $503 billion comprise\nCredit unions submit quarterly call reports (financial and        69 percent of credit union assets.         Real estate loans\noperational data) to the NCUA. An NCUA staff assessment of        increased 9.18 percent. First mortgage real estate loans are\nthe June 30, 2007, quarterly call reports submitted by all        the largest single asset category with $168.9 billion\nfederally insured credit unions found that key financial          accounting for 34 percent of all loans. Other real estate loans\nindicators were stable.                                           of $86.4 billion account for 17% of all loans. Used car loans\n                                                                  of $88.3 billion were 17% of all loans, while new car loans\n                                                                  amounted to $87.7 billion or 17% of total loans. Credit card\nKEY FINANCIAL INDICATORS STABLE                                   loans totaled $28.9 billion or 5% of total loans and other\n                                                                  loans totaled $47.2 billion for 10% of total loans. Total\nLooking at the June 30, 2007 quarterly statistics for major       investments increased 20.16 percent to $141.9 billion.\nbalance sheet items and key ratios shows the following for        Investments with maturities less than one year comprise 60.1\nthe nation\xe2\x80\x99s 8,238 federally insured credit unions: assets grew   percent of total investments.\n8.65 percent; net worth to assets ratio decreased from 11.54\nto 11.40 percent; the loan to share ratio decreased from\n82.23 percent to 80.34 percent; the delinquency ratio\nincreased from .68 to .69 percent; and credit union return on\naverage assets decreased from .82 percent to .75 percent.\n\n\nSAVINGS SHIFTING TO CERTIFICATES OF DEPOSIT\n\nTotal insured share accounts increased 9.68 percent. Share\ncertificates increased 7.08%. Regular shares comprise 29.3\npercent of total share accounts; share certificates comprise\n32.1 percent; money market shares comprise 17.1 percent;\nand share draft accounts comprise 11.4 percent; and all other\nshare accounts comprise 10.1 percent.\n\n\n\n\n                              9                                                                 10\n\x0c                                                                     lending investment limits, and ease restrictions on mergers\n                                                                     and conversions.\n\n            LEGISLATIVE HIGHLIGHTS                                   SUBPRIME MORTGAGE MARKET PRIORITY ISSUE FOR\n                                                                     FINANCIAL SERVICES PANELS\n\n                                                                     When Congress returned to session on September 4, 2007,\nREPRESENTATIVE FRANK ADVOCATES IMPOSING CRA                          House and Senate panels on financial institutions turned their\nRULES ON CREDIT UNIONS                                               attention back to the subprime mortgage market. On\n                                                                     September 5, 2007, Senate Banking Committee Chairman\nHouse Financial Services Chairman Barney Frank, D-Mass.,             Christopher Dodd (D-Conn.) introduced legislation to curb\nrecently told credit union representatives that he would like to     subprime lending abuses. The bill, in part, would clarify\nextend Community Reinvestment Act (CRA) requirements to              mortgage brokers\xe2\x80\x99 fiduciary duty to borrowers and would\ncredit unions and other financial companies. On September            expand the protection for those who assume a high-cost loan\n11, 2007, Rep. Frank spoke before the National Association of        under the 1994 Home Ownership and Equity Protection Act\nFederal Credit Unions (NAFCU), stating that he hopes to hold         (HOEPA). On the same day, his counterpart in the House,\nhearings on the issue next year but said he believes most            Financial Services Chairman Barney Frank (D-Mass.), said he\ncredit unions would pass any new requirements with flying            expects soon to introduce his legislation to address both the\ncolors. Rep. Frank said further that most credit unions              subprime mortgage crisis and predatory lending issues.\nalready invest in their communities and would just have to\n\xe2\x80\x9cdemonstrate or document\xe2\x80\x9d it.                                        NCUA TESTIFIES ON MORTGAGE LENDING CONSUMER\n                                                                     PROTECTION LAWS\nFRANK OPTIMISTIC THAT CURIA WILL CLEAR BOTH\nHOUSE AND SENATE                                                     On July 25, 2007, NCUA Director of Examination and\n                                                                     Insurance, David M. Marquis, testified before the House\nAt the same NAFCU caucus, Rep. Frank also vowed to move              Financial Services Subcommittee on Oversight and\nforward with H.R. 1537, the Credit Union Regulatory                  Investigations on oversight of consumer laws pertaining to\nImprovements Act (CURIA). Rep. Frank confirmed that he is            mortgage lending. Mr. Marquis stressed the priority NCUA\noptimistic that major provisions of CURIA could clear both the       places on ensuring that credit unions comply with all\nHouse and Senate, but that not all of the bill is likely to do so.   nondiscrimination laws and work to protect consumers\nAmong other things, CURIA would raise the cap on business            against discriminatory or unfair home mortgage lending\nlending to 20% of a credit unions\xe2\x80\x99 assets, from 12.25%. It           practices.    NCUA enforces fair lending laws using a\nwould also let any credit union, regardless of charter type,         comprehensive examination process and Home Mortgage\nadd underserved areas to its field of membership, increase           Disclosure Data (HMDA). Further, by reviewing member\n                                                                     complaints, NCUA is able to evaluate each credit union\xe2\x80\x99s\n\n                               11                                                                  12\n\x0ccompliance and gain a more complete picture of how a credit\nunion makes mortgage loans. NCUA continues to refine its\nmethods to oversee fair lending law compliance. Moreover,\n                                                                    OFFICE OF THE INSPECTOR GENERAL\nMr. Marquis testified, NCUA works to ensure that more\nsophisticated training results in a more complete\n                                                                 The Office of the Inspector General was established at the\nunderstanding of lending patterns in specific geographic areas\n                                                                 NCUA in 1989 under the authority of the Inspector General\nas well as heightened awareness of how to detect patterns of\n                                                                 Act of 1978, as amended in 1988. The staff consists of the\ndiscrimination.\n                                                                 Inspector General, Counsel to the Inspector General,\n                                                                 Assistant Inspector General for Audits, Director of\n                                                                 Investigations, two Senior Auditors, Senior Information\n                                                                 Technology Auditor, and Office Manager.\n\n                                                                 The Inspector General reports to, and is under the general\n                                                                 supervision of, the NCUA Board. The Inspector General is\n                                                                 responsible for:\n\n                                                                 1. Conducting, supervising, and coordinating audits and\n                                                                 investigations of all NCUA programs and operations;\n\n                                                                 2. Reviewing policies and procedures to ensure efficient and\n                                                                 economic operations as well as preventing and detecting\n                                                                 fraud, waste, and abuse;\n\n                                                                 3. Reviewing      existing and proposed legislation and\n                                                                 regulations to evaluate their impact on the economic and\n                                                                 efficient administration of agency programs; and\n\n                                                                 4. Keeping the NCUA Board and the Congress apprised of\n                                                                 significant findings and recommendations.\n\n\n\n\n                             13                                                               14\n\x0c                                                                                                AUDIT ACTIVITY\n\n                                                                             AUDIT REPORTS ISSUED\n                  William DeSarno\n\n                         Inspector\n                          General\n                                                                             OIG-07-06 \xe2\x80\x93 July 10, 2007\n                                                                             NCUA\xe2\x80\x99S RISK-FOCUSED EXAMINATIONS TRACKING\n                                                                             IDENTIFIED DOCUMENTS OF RESOLUTION\n                                                                             This survey report follows-up on our prior Risk Focus\n            Sharon                                                           Exam (RFE) review.        Specifically, we evaluated the\n           Regelman                                                          process in place to identify, track and correct deficiencies\n        Office Manager                                                       identified by examiners in Documents of Resolution (DOR)\n                                                                             during supervision and examination contacts at Federal\n                                                                             credit unions (FCUs).\n\n                                                                             We reviewed a judgmental sample of 25 FCUs, five credit\nSharon Separ          Anne Voegele          Jim Hagen                        unions from each of the five NCUA regions that had at\n                                                                             least one outstanding (open) DOR. We concluded that for\nCounsel to the          Director of       Assistant IG for\n     IG               Investigations           Audits                        the 25 DORs we sampled, NCUA examiners were\n                                                                             monitoring in a timely manner the progress of the FCUs to\n                                                                             address and resolve the deficiencies noted in the DOR.\n                                                                             We based our conclusion upon reviews of examiner work\n                                                                             papers and NCUA monitoring reports.\n                      Charles                Dwight          Marvin Stith,\n                  Funderburk, CPA         Engelrup, CPA       CPA, CISA\n                                                                             We also reviewed a second judgmental sample of 25\n                      Senior Auditor      Senior Auditor      Senior IT      FCUs, five credit unions from each of the five NCUA\n                                                               Auditor\n                                                                             regions with at least one closed or resolved DOR. Based\n                                                                             on this sample, we found that in 23 of the 25 instances,\n                                                                             FCUs closed the DOR in accordance with the DOR\n                                                                             resolution date. In one case, the DOR was no longer\n                                                                             applicable and, one DOR was not closed in accordance\n                                                                             with the resolution date. The number of months between\n\n\n                                     15                                                                    16\n\x0cproblem identification and closure of the DOR was             audit engagement. Initially, we attempted to review the\napproximately ten months. We based our conclusion             area of sub-prime mortgages. However, we determined\nupon reviews of examiner work papers and NCUA                 that NCUA does not collect data on sub-prime mortgage\nmonitoring reports.                                           loans via the credit union quarterly call reports. Currently,\n                                                              these loans are captured for reporting purposes within a\nThe NCUA Office of Examination and Insurance (E&I)            much larger group of mortgage loans that include\ninformed us that the agency had developed and                 adjustable rate mortgages as well as balloon/hybrid loans.\nimplemented a national tool for monitoring contact and        Consequently, it was not possible to specifically identify\nDOR information called the AIRES Exam Management              sub-prime mortgage loans.\nConsole \xe2\x80\x93 Online. Additionally, E & I was in the process\nof developing, testing, and implementing five on-line DOR     The Office of Inspector General determined through this\nmonitoring reports that will work outside of the AIRES        survey that an audit of credit union real estate lending is\nsystem.                                                       not warranted at this time primarily because, as explained\n                                                              above, NCUA does not collect data on sub-prime\nBased on information we received about agency work in         mortgages. Furthermore, our sample review of credit\nprogress for supervision contacts and DOR monitoring,         unions with high real estate loans to total loan ratios\nand the results of our review to date, the OIG does not       indicated that such credit unions pose no greater overall\nhave recommendations to the agency for improvement at         risk than all federally chartered credit unions viewed as a\nthis time. We may revisit this area in the future to assess   whole. In reaching this conclusion, we conducted a\nthe additional controls being implemented by the new on-      survey the objectives of which were to:\nline management tools.                                            1. Determine the significance of real estate lending in\n                                                                      the credit union industry;\nOIG-07-07 \xe2\x80\x93 September 5, 2007                                     2. Identify potential real estate lending risks in the\nREAL ESTATE LENDING                                                   credit union industry; and\n                                                                  3. Determine what NCUA is doing to mitigate\nAs of December 31, 2006, federally chartered credit                   identified potential real estate lending risks.\nunions held approximately $131 billion in real estate\nloans. In addition, within the past year the U.S. Congress    Real estate lending is a significant program of federally\nhas shown an interest in regulatory practices with regard     chartered credit unions. A significant percentage (34%)\nto sub-prime mortgage lending, particularly with certain      of federally chartered credit unions has real estate lending\ntypes of adjustable rate mortgages.                           programs. Real estate loans comprise 49% of total loans\n                                                              in federally chartered credit unions and 34% of total\nThe Office of Inspector General conducted an audit survey     assets. Approximately 20% of federal credit unions have\nto determine if there were any real estate lending risks in   25% or more real estate loans to assets and over 4%\nfederally chartered credit unions which could lead to an      have 50% or more real estate loans to assets.\n\n\n                              17                                                             18\n\x0c                                                                       \xe2\x80\xa2   A lack of credit union management planning and\nReal estate lending potentially impacts all seven risk                     oversight in such areas as business plans, asset\ncomponent areas NCUA has identified in its Examiners                       liability management, and budgeted/planned\nGuide:                                                                     parameters directly related to real estate lending.\n \xe2\x80\xa2 Credit risk due to loan underwriting quality and\n    products offered;                                               OIG-07-08 \xe2\x80\x93 September 12, 2007\n \xe2\x80\xa2 Interest rate risk due to mortgage mismatches with               INDEPENDENT EVALUATION OF THE NATIONAL CREDIT UNION\n    the types of funding and rising interest rates;                 ADMINISTRATION INFORMATION SECURITY PROGRAM 2007\n \xe2\x80\xa2 Liquidity risk that can occur with high loan to share\n    ratios and holding of loans;\n                                                                    The Office of Inspector General for the National Credit Union\n \xe2\x80\xa2 Compliance risk with regard to real estate consumer\n                                                                    Administration engaged Grant Thornton LLP to conduct an\n    compliance regulations;\n                                                                    independent evaluation of its information systems and\n \xe2\x80\xa2 Transaction risk due to the complexity of real estate\n                                                                    security program and controls for compliance with the Federal\n    transactions and products;\n                                                                    Information Security Management Act (FISMA), Title III of\n \xe2\x80\xa2 Strategic risk due to the complexity and foresight in\n                                                                    the E-Government Act of 2002.\n    planning; and\n \xe2\x80\xa2 Reputation risk whereby a credit union may be\n                                                                    Grant Thornton evaluated NCUA\xe2\x80\x99s security program through\n    impacted by all of the above risks.\n                                                                    interviews, documentation reviews, and sample testing. We\n                                                                    evaluated NCUA against standards and requirements for\nNCUA appears to be identifying and addressing most\n                                                                    federal government agencies such as those provided through\npotential real estate lending risks. This is evidenced\n                                                                    FISMA, National Institute of Standards and Technology\nthrough the agency\xe2\x80\x99s issuance of extensive guidance for\n                                                                    (NIST) Special Publications (SPs) and Federal Information\nexaminers and credit unions, identification of risk trends\n                                                                    Processing Standards (FIPS), and Office of Management and\nin quarterly reports, and statistical data analysis.\n                                                                    Budget (OMB) memorandums.          We conducted an exit\nHowever, we identified the following areas where\n                                                                    conference with NCUA officials on June 29, 2007, to discuss\npotential risk may be elevated due to current practices:\n                                                                    evaluation results.\n    \xe2\x80\xa2 A lack of examination documentation 1 in support\n       of examiner loan reviews and consumer\n                                                                    The NCUA made noticeable progress in strengthening its\n       compliance reviews;\n                                                                    Information Technology (IT) security program during Fiscal\n                                                                    Year (FY) 2007. Notable accomplishments include:\n                                                                       \xe2\x80\xa2 Completion of Certification and Accreditation\n   1\n    It is not NCUA policy for examiners to detail work performed          packages for all of its FISMA systems, and\n   during an examination as long as no problems were found by the      \xe2\x80\xa2 Implementation of additional encryption protection\n   examiner. Consequently, while we could not identify all of the\n                                                                          for data on examiner laptops.\n   examination procedures performed, we did find that examiners\n   were following established procedures.\n\n                                 19                                                              20\n\x0cWhile NCUA has made commendable progress in addressing\ndeficiencies reported last year, management could still    The OIG issued two reports during the past year that\nimprove IT security controls in the following areas:       reported on the testing of the effectiveness of information\n  \xe2\x80\xa2 NCUA needs a better document management                security and internal controls:\n       program.                                              \xe2\x80\xa2 On September 12, 2007, the OIG issued a report\n  \xe2\x80\xa2 NCUA has not implemented continuing education                containing an Independent Evaluation of the NCUA\xe2\x80\x99s\n       requirements for its Information Technology               Information Security Program - 2007. The content of\n       employees.                                                the independent evaluation report supports the\n                                                                 conclusions presented in this report.\n  \xe2\x80\xa2 Employee enter/exit/change procedures do not\n       ensure timely removal of terminated employees\xe2\x80\x99        \xe2\x80\xa2 On February 12, 2007, the OIG issued the Financial\n       access to NCUA systems.                                   Statement Audit Report for the year ended December\n                                                                 31, 2006. The purpose of this audit was to express\n  \xe2\x80\xa2 E-Authentication risk assessments for its systems\n                                                                 an opinion on whether the financial statements were\n       need to be completed.\n                                                                 fairly presented. In addition, the internal control\n  \xe2\x80\xa2 A formal agency wide security configuration guide\n                                                                 structure was reviewed and an evaluation of\n       should be developed.\n                                                                 compliance with laws and regulations was performed\n  \xe2\x80\xa2 Incident response procedures should be followed.\n                                                                 as part of the audit. The result of this audit was an\n  \xe2\x80\xa2 Personnel security awareness training needs to be\n                                                                 unqualified opinion, stating that the financial\n       completed in FY 2007.\n                                                                 statements were presented fairly. Although there\n  \xe2\x80\xa2     NCUA\xe2\x80\x99s Plan of Actions and Milestones (POA&M)\n                                                                 were no material weaknesses identified during the\n       process needs improvement.\n                                                                 review of the internal control structures pertinent to\n  \xe2\x80\xa2 Security controls testing for all of NCUA\xe2\x80\x99s FISMA\n                                                                 financial reporting, several recommendations were\n       systems needs to be completed.\n                                                                 made relating to weaknesses in the financial and\n  \xe2\x80\xa2 Segregation of duties should be maintained or\n                                                                 information security areas.\n       compensating controls established.\n  \xe2\x80\xa2 NCUA vulnerability management needs improvement.\n\nOIG-07-09 \xe2\x80\x93 September 12, 2007\nOIG REPORT TO OMB ON THE NATIONAL CREDIT UNION\nADMINISTRATION SECURITY PROGRAM 2007\n\nThis report contains a summary of our evaluation of the\nNCUA\xe2\x80\x99s information security program presented in the OMB\nprescribed format.\n\n\n\n                          21                                                           22\n\x0cAUDITS IN PROGRESS                                                 REVIEW OF THE OFFICE OF SMALL CREDIT UNION INITIATIVES\n\n                                                                   The Office of Small Credit Union Initiatives\xe2\x80\x99 (OSCUI) mission is\nOFFICIAL PERSONNEL FOLDERS                                         to assist in the agency\xe2\x80\x99s risk mitigation program and foster\n                                                                   credit union development, particularly in the expansion of\nOfficial Personnel Folders (OPFs) contain records that             services provided by small credit unions to all eligible\ndocument an individual employee\xe2\x80\x99s Federal government               consumers. Individualized assistance is provided for credit\nemployment history.        The OPF follows an employee             union management and staff that will expand services for\nthroughout his or her Federal career. The OPFs maintained in       consumers (strategic assistance) and enhance credit union\nmany federal agencies, including the National Credit Union         operations (operational assistance).           As part of this\nAdministration (NCUA), are hardcopy (paper) versions. In           assistance, the Community Development Revolving Loan Fund\nrecent years, Congressional hearings have looked at OPF            (the \xe2\x80\x9cFund\xe2\x80\x9d) was established by Congress in 1979, to bring\nmaintenance and the feasibility of agencies\xe2\x80\x99 converting from       basic financial services to communities; increase economic\nthe current paper OPF system to an electronic system. Some         activities in communities; and aid in the efficient operations of\nfederal agencies have already converted and many others are        credit unions. The Fund\xe2\x80\x99s technical assistance grant and loan\nin the process of doing so. Agencies converting from paper to      programs are administered by OSCUI.\nelectronic OPFs can reduce paperwork, storage space, and\nstaff hours to maintain the files. In addition, electronic OPFs    Since inception of the Fund, Congress has appropriated $13.7\nmay improve the accuracy of files, and provide better access       million to the Fund for loans and $3 million to the fund for\nto employees requesting to review their own records.               grants. In 2007, Congress appropriated $940,500 to the Fund\n                                                                   to be used for grants. The OIG has not reviewed this\nDue to the importance of OPFs, the current Federal emphasis        operation at NCUA in the past and initiated a survey in\non protecting Personally Identifiable Information (PII), and the   September 2007, to obtain an understanding of the Office of\nattention to this issue by the Office of Management and            Small Credit Union Initiatives. Specifically, we will determine\nBudget (OMB), as part of the President\xe2\x80\x99s Management                (1) How are grant and loan funds awarded? (2) Are grants\nAgenda, the Office of Inspector General (OIG) added this           awarded competitively?       and (3) What grant and loan\nsurvey review to its 2007 Annual Performance Plan. Our             contingencies exist and are they being met?\nobjectives were to determine whether NCUA is accurately\nmaintaining and storing OPFs, and to evaluate the agency\xe2\x80\x99s         ENCRYPTION REVIEW\nability to migrate to an electronic OPF system. We issued a\ndraft report for comment in September 2007.                        Following numerous incidents involving the compromise or\n                                                                   loss of sensitive personal information, OMB issued\n                                                                   memorandum M-06-16 requiring agencies to take specific\n                                                                   actions to protect personally identifiable information. In\n\n                              23                                                                 24\n\x0c2006, the NCUA OIG completed fieldwork and subsequently\nissued a report regarding NCUA\xe2\x80\x99s compliance with M-06-16\n(OIG-07-01). During this limited scope review and the 2006                   INVESTIGATIVE ACTIVITY\nFISMA audit, the OIG identified several weaknesses\nregarding the use of encryption at NCUA.\n                                                                 In accordance with professional standards and guidelines\nIn this follow-up review we will determine if NCUA is            established by the Department of Justice, the OIG conducts\nadequately protecting sensitive electronic data. Specifically,   investigations of criminal, civil, and administrative wrongdoing\nwe will be reviewing examiner notebooks, USB drives, and         involving agency programs and personnel. Our investigative\nother media to determine if sensitive credit union member        program focuses on activities designed to promote economy,\ndata obtained during examinations are stored in an               effectiveness, and efficiency, as well as fighting fraud, waste,\nencrypted format. We initiated a follow-up review of this        and abuse in agency programs. In addition to our efforts to\narea in July 2007.                                               deter misconduct and promote integrity awareness among\n                                                                 agency employees, we investigate referrals and direct reports\n                                                                 of employee misconduct. Investigations may involve possible\nSIGNIFICANT AUDIT RECOMMENDATIONS ON WHICH                       violations of regulations regarding employee responsibilities\nCORRECTIVE ACTION HAS NOT BEEN COMPLETED                         and conduct, Federal criminal law, and other statutes and\n                                                                 regulations pertaining to the activities of NCUA employees.\nAs of September 31, 2007, there were no significant audit\nrecommendations on reports issued over six months ago that       Moreover, we receive complaints from credit union members\nhave not been either fully implemented or are in the process     and officials that involve NCUA employee program\nof implementation.                                               responsibilities. We examine these complaints to determine\n                                                                 whether there is any indication of NCUA employee\n                                                                 misconduct. If not, we refer the complaint to the appropriate\n                                                                 regional office for response, or close the matter if contact\n                                                                 with the regional office indicates that the complaint has\n                                                                 already been appropriately handled.\n\n                                                                 OIG HOTLINE CONTACTS\n\n                                                                 The OIG maintains a toll free hotline to enable employees and\n                                                                 citizens to call with information about waste, fraud, abuse or\n                                                                 mismanagement involving agency programs or operations.\n                                                                 We also receive complaints through an off-site post office\n                                                                 box, from electronic mail, and facsimile messages.          All\n\n                             25                                                                26\n\x0c                                                                 false representations on his NCUA employment application.\ninformation received from any of these sources is referred to\n                                                                 The OIG investigated and found the allegations to be\nas a hotline contact. The OIG hotline program is handled by\n                                                                 unsubstantiated.\nour Office Manager, under the direction of our Director of\nInvestigations. The majority of hotline contacts are from\n                                                                 ABUSE OF AUTHORITY\nconsumers seeking help with a problem with a credit union.\nThese contacts are referred to the appropriate NCUA regional\noffice for assistance.    During this reporting period, we       The OIG received an allegation that an NCUA senior official\nreferred 152 consumer complaints to regional offices. Also       had abused his authority and shown preferential treatment.\nduring this reporting period, we referred one allegation back    The OIG conducted an initial review during which some of the\nto agency management for action.                                 allegations were disproved and others were unsubstantiated.\n                                                                 During the review, the complainant withdrew the allegations\nINVESTIGATIONS                                                   and the matter was closed to the file.\n\n                                                                 SEXUAL HARASSMENT\nDuring the last reporting period the Office of Investigations\ninitiated five new matters and closed four.\n                                                                 The OIG received an allegation that an NCUA Examiner\n                                                                 sexually harassed several women.   This investigation is\nMISUSE OF GOVERNMENT ISSUED CREDIT CARD\n                                                                 ongoing.\n\nDuring the last reporting period, we reported a referral from    ABUSE OF FAIR DEBT COLLECTION ACT\nan NCUA Regional Office of allegations that an employee had\nbeen misusing her Government issued credit card. This\n                                                                 The OIG received numerous allegations from a former NCUA\nemployee had previously been the subject of an OIG\n                                                                 Examiner claiming that the agency had falsely denied him\ninvestigation for the same offense. The previous investigation\n                                                                 leave and had failed to advise him that he owed the agency\ndetermined that the employee had repeatedly misused her\n                                                                 money after he retired. The former Examiner further alleged\ncredit card for personal purchases and in that case the\n                                                                 that this resulted in damage to his credit report and was\nagency imposed a three day suspension.               In this\n                                                                 seeking recompense.       The OIG reviewed the matter and\ninvestigation, the OIG again determined that the employee\n                                                                 found the allegations to be without merit.\nhad repeatedly misused her credit card. During this reporting\nperiod, the employee was suspended for 20 days.\n                                                                 OFFICE OF SPECIAL COUNSEL REQUEST\nFALSE STATEMENTS\n                                                                 The OSC referred to the OIG a whistleblower allegation\n                                                                 concerning the agency\xe2\x80\x99s policies and practices related to\nDuring this reporting period, the OIG received an allegation\n                                                                 documenting and compensating employee hours of work.\nthat an NCUA employee may have made false statements and\n                                                                 This matter is ongoing.\n\n                             27                                                              28\n\x0c   LEGISLATIVE AND REGULATORY REVIEWS                                                                     Joint Interagency Proposed Guidance on\n                                                                                                           Garnishment Federal Benefit Payments\n                                                                                                             Proposed Illustrations of Consumer\n                                                                                                        Information for Subprime Mortgage Lending\n   Section 4(a) of the Inspector General Act requires the\n                                                                             12 CFR Parts 703 and 704       Proposed Rule: \xe2\x80\x9cPermissible Foreign\n   Inspector General to review existing and proposed legislation                                          Currency Investments for Federal Credit\n   and regulations relating to the programs and operations of                                               Unions and Corporate Credit Unions\n   the NCUA and to make recommendations concerning their                         12 CFR Part 701           \xe2\x80\x9cPurchase, Sale, and Pledge Of Eligible\n   impact. Moreover, we routinely review proposed agency                                                            Obligations\xe2\x80\x9d-Comments\n   instructions and other policy guidance, in order to make                      12 CFR Part 701          \xe2\x80\x9cChartering and Field of Membership for\n   recommendations concerning economy and efficiency in the                                                  Federal Credit Unions\xe2\x80\x9d - Comments\n   administration of NCUA programs and operations and the                        12 CFR Part 701            \xe2\x80\x9cReincorporation of FCU Bylaws Into\n   prevention and detection of fraud, waste and abuse.                                                        NCUA Regulations\xe2\x80\x9d - Comments\n                                                                                 12 CFR Part 701             \xe2\x80\x9cMember Inspection of Credit Union\n                                                                                                         Books, Records and Minutes\xe2\x80\x9d - Comments\n   During the reporting period, the OIG reviewed 14 items,\n                                                                                12 CFR Part 708b                \xe2\x80\x9cDisclosure of Merger Related\n   including proposed and final legislation and regulations, and                                        Compensation Arrangements\xe2\x80\x9d \xe2\x80\x93 Comments\n   comments to proposed regulations. The OIG also responded\n   to three Freedom of Information Act requests.\n\n\n   SUMMARY OF STATUTES AND REGULATIONS REVIEWED\n      Legislation/E.O.                           Title\n       H.R. 928, S. 1783    \xe2\x80\x9cThe Improving Government Accountability Act\xe2\x80\x9d\n            S. 680            \xe2\x80\x9cAccountability in Government Contracting\n                                              Act of 2007\xe2\x80\x9d\n        H.R. 3268           \xe2\x80\x9cGovernment Accountability Office Act of 2007\xe2\x80\x9d\n\n\n\n   Regulations/Rulings                           Title\n      12 CFR 701.3          Final Rule: \xe2\x80\x9cMember Inspection of Credit Union\n                                     Books, Records and Minutes\xe2\x80\x9d\n 12 CFR Parts 748 and 749      Final Rule: \xe2\x80\x9cCatastrophic Act Reporting;\n                                    Records Preservation Program\xe2\x80\x9d\n12 CFR Parts 701, 703, 707,       Final Rule: \xe2\x80\x9cTechnical Corrections\xe2\x80\x9d\n   710, 722, 723 and 742\n\n\n                                   29                                                                        30\n\x0c                                          TABLE I                                                                          TABLE II\n\n                  INSPECTOR GENERAL ISSUED REPORTS                                            INSPECTOR GENERAL ISSUED REPORTS WITH\n                       WITH QUESTIONED COSTS                                              RECOMMENDATIONS THAT FUNDS BE PUT TO BETTER USE\n                                                    Number of   Questioned Unsupported                                                            Number of   Dollar\n                                                     Reports      Costs       Costs                                                                Reports    Value\n            For which no management decision\nA.             had been made by the start                                                           For which no management decision had\n                                                                                           A.\n                 of the reporting period.              0           $0          $0               Been made by the start of the reporting period.      0         $0\n\nB.                    Which were issued\n               during the reporting period.            0            0           0          B.    Which were issued during the reporting period.      0          0\n\n                      Subtotals (A + B)                0            0\n                                                                                                                 Subtotals (A + B)                   0          0\nC.           For which management decision\n       was made during the reporting period.           0            0           0                 For which management decision was made\n     (i)      Dollar value of disallowed                                                   C.\n                                                                                                            during the reporting period.             0          0\n              costs                                    0            0           0\n     (ii)        Dollar value of                                                                  (i)          Dollar value of recommendations\n                   costs not disallowed                0            0           0                           agreed to by management.                N/A        N/A\n            For which no management decision\nD.                    has been made by\n                                                                                                  (ii)         Dollar value of recommendations\n              the end of the reporting period.         0            0           0\n                                                                                                           not agreed to by management.             N/A        N/A\n            Reports for which no management\nE.                    decision was made\n                                                                                                 For which no management decision was made\n              within six months of issuance.           0            0           0          D.\n                                                                                                         by the end of the reporting period.         0          0\n\n Questioned costs are those costs the OIG has questioned because of\n                                                                                                 For which no management decision was made\n alleged violations of laws, regulations, contracts, or other agreements;                  E.\n                                                                                                           within six months of issuance.            0          0\n findings which at the time of the audit are not supported by adequate\n documentation; or the expenditure for the intended purpose is unnecessary               Recommendations that "Funds to be Put to Better Use" are those OIG\n or unreasonable.                                                                        recommendations that funds could be used more efficiently if management\n Unsupported costs (included in "Questioned Costs") are those costs the OIG              took    actions    to     reduce    outlays,      de-obligate    funds from\n has questioned because of the lack of adequate documentation at the time                programs/operations, avoid unnecessary expenditures noted in pre-award\n of the audit.                                                                           reviews of contracts, or any other specifically identified savings.\n\n\n\n\n                                               31                                                                                 32\n\x0c                              TABLE III\n\n                 SUMMARY OF OIG ACTIVITY                                         INDEX OF REPORTING REQUIREMENTS\n            APRIL 1 THROUGH SEPTEMBER 30, 2007\n                                                                                SECTION                    DATA REQUIRED                           PAGE REF\n                 PART I \xe2\x80\x93 AUDIT REPORTS ISSUED                                   4(a)(2)              Review of Legislation and Regulations           29\n                                                                                 5(a)(1)          Significant Problems, Abuses, or Deficiencies       16\nReport                                                                Date                      Relating to the administration of programs and\nNumber                            Title                              Issued                    Operations disclosed during the reporting period.\n                                                                                 5(a)(3)         Recommendations with Respect to Significant          16\n               NCUA\xe2\x80\x99s Risk Focused Examinations Tracking                                                Problems, Abuses, or Deficiencies.\nOIG-07-06                                                          07/10/2007\n                  Identified Documents of Resolution                             5(a)(3)           Significant Recommendations Described in           25\n                                                                                                     Previous Semiannual Reports on Which\nOIG-07-07                 Real Estate Lending                      09/05/2007                     Corrective Action Has Not Been Completed.\n                                                                                 5(a)(4)         Summary of Matters Referred to Prosecution          None\n              Independent Evaluation of the National Credit                                        Authorities and Prosecutions, Which Have\nOIG-07-08       Union Administration Information Security          09/12/2007                                         Resulted.\n                            Program 2007                                         5(a)(5)        Summary of Each Report to the Board Detailing        None\n             OIG Report to OMB on the National Credit Union                                       Cases Where Access to All Records Was Not\nOIG-07-09                                                          09/12/2007                    Provided or Where Information Was Refused.\n                 Administration Security Program 2007\n                                                                                 5(a)(6)             List of Audit Reports Issued During the          33\n    PART II \xe2\x80\x93 AUDITS IN PROGRESS              (as of September 30, 2007)                                          Reporting Period.\n                                                                                 5(a)(7)          Summary of Particularly Significant Reports.        16\n                                 Official Personnel Folders\n                                                                                 5(a)(8)             Statistical Tables on Audit Reports With         31\n                   Review of the Office of Small Credit Union Initiatives                                        Questioned Costs.\n                                    Encryption Review                            5(a)(9)             Statistical Tables on Audit Reports With         32\n                                                                                                    Recommendations That Funds Be Put To\n                                                                                                                     Better Use.\n                                                                                5(a)(10)       Summary of Each Audit Report Issued Before the        None\n                                                                                           Start Of the Reporting Period for Which No Management\n                                                                                             Decision Has Been Made by the End of the Reporting\n                                                                                                                       Period.\n                                                                                5(a)(11)           Description and Explanation of Reasons for        None\n                                                                                                 any Significant Revised Management Decision\n                                                                                                       Made During the Reporting Period.\n                                                                                5(a)(12)       Information Concerning Significant Management         None\n                                                                                                 Decisions With Which the Inspector General is\n                                                                                                                  in Disagreement.\n\n\n\n\n                                      33                                                                            34\n\x0c\x0c'